Inspection of Windows Phone applications

Dmitriy Evdokimov Andrey Chasovskikh

About us

Dmitriy ‘D1g1’ Evdokimov

- Security researcher at ERPScan

- Editor of Russian hacking magazine

- DEFCON Russia (DCG #7812) organizer

Andrey Chasovskikh

- Software developer

- Windows Phone addict

2

Agenda

- Windows Phone intro

- Security model

- All about applications

- Not all applications are secure

- Tools overview

- Deep dive: finding vulnerabilities

- Conclusion

3

WINDOWS PHONE INTRO

- The successor to the Windows Mobile OS

- 15 Mar 2010 – Windows Phone 7 series announced

- 21 Oct 2010 – Windows Phone 7 released

- 29 Oct 2012 – Windows Phone 8 released

History of Windows Phone

time

version

WP7 WP7 NoDo

WP7.5 Mango WP7.5 Tango

WP8

27 Sep 2011 29 Oct 2012 21 Oct 2011

5

Market share

Source: Gartner, November 2012

6

- 125 000+ applications

- Casual apps, social networks, mobile banking, enterprise applications etc.

Windows Phone Store

7

SECURITY MODEL

- Trusted Computing Base (TCB) Kernel, kernel-mode drivers

- Elevated Rights Chamber (ERC) Services, user-mode drivers

- Standard Rights Chamber (SRC) Pre-installed applications

- Least Privileged Chamber (LPC) Applications from WP store

Chamber concept, WP7

9

- Trusted Computing Base (TCB) Kernel, kernel-mode drivers

- Least Privileged Chamber (LPC) All other software: services, pre-installed apps,

application from WP store

Chamber concept, WP8

10

Capabilities

Windows Phone 7

- Camera

- Contacts

- Location services

- Owner/phone identity

- Network services

Etc.

Undocumented

- Native code

- SMS API

- Access to user properties

- SIM API

Etc.

WMAppManifest.xml

Windows Phone 8

- All WP7 capabilities

- NFC

- SD card access

- Wallet

- Speech recognition

- Front camera

Etc.

11

Sandboxing concept

App1

Isolated chamber

App2

Isolated chamber

Isolated storage for App1

Isolated storage for App2

- No app communication in WP7 - Limited app-to-app in WP8 - File system structure is hidden - Isolated storages

12

- File associations - LaunchFileAsync()

- Reserved: xap, msi, bat, cmd, py, jar etc

- URI associations - LaunchUriAsync()

- Reserved: http, tel, wallet, LDAP, rlogin, telnet etc

- Proximity communication using NFC

App-to-App, WP8

13

Isolated Storage

Isolated Storage

Isolated Settings Storage

Files

Database

Isolated File Storage

Directory

Physical File Storage

14

- Store applications are signed in WP7

- All binaries get signed since WP8

- Application file get signed - Kind of checksum file is put into applications

- Applications XAP files have undocumented format (since Aug 2012)

Signing

15

ALL ABOUT APPLICATIONS

.NET and CLR, WP7

Applications

Developer Platform (XAML, XNA, Device services)

.NET Compact Framework (BCL + Silverlight flavor)

WP7 OS, WinCE based

17

???

Framework

18

.NET and CLR, WP8

Applications

Developer Platform (XAML, XNA, Device services)

.NET Framework (CoreCLR)

WP8 OS, Win8 based

19

Framework

20

- Application assemblies

- Resources

- AppManifest.xaml

- WMAppManifest.xml

- WMInteropManifest.xml*

Application file structure

* — optional for WP7, absent in WP8

21

Submission and certification

App Creation App Submission XAP File

Validation

Adding Metadata

Certification Testing

Signing Publication in Marketplace

Source code

.xap

22

WP7:

\Applications

\Install\<ProductID>\Install\ - Content from XAP

- WMAppPRHeader.xml (package signature)

\Data\<ProductID>\Data\IsolatedStorage

Same idea in WP8, i.e. install path:

C:\Data\Programs\<ProductID>\Install\

Applications on a device

23

NOT ALL APPLICATIONS ARE SECURE

Security assessment

Server

Device/Emulator

Data channel

App

25

App

Prepare environment - Get app (unpack/decrypt) - Configuration device/emulator

Static analysis - Properties of program compilation - Metadata analysis - Code analysis

Dynamic analysis - How application works with file system/network - Runtime code analysis

Mobile applications security assessment

26

1. Insecure Data Storage 2. Weak Server Side Controls 3. Insufficient Transport Layer Protection 4. Client Side Injection 5. Poor Authorization and Authentication 6. Improper Session Handling 7. Security Decisions Via Untrusted Inputs 8. Side Channel Data Leakage 9. Broken Cryptography 10. Sensitive Information Disclosure

OWASP Top 10 Mobile Risks

27

WP vs. Android vs. iOS vulnerabilities

WP7 (C#/VB) WP8 (C#/VB/C/C++)

iOS (Objective-C)

Android (Java)

Note: Main programming languages in brackets

Platform independent vulnerabilities

Platform specific vulnerabilities

28

TOOLS OVERVIEW

- Device

- Full unlock

- Emulator

- Windows Phone Device Manager

- Network proxy: Burp Suite, Charles etc.

- .NET tools: .Net Reflector, ILSpy etc.

- IDA Pro

- RAIN, Boyan Balkanski

- Windows Phone App Analyzer, David Rook

- XAPSpy, Behrang Fouladi

- XapSpyAnalysis, David Rook

Arsenal

30

Static analysis is insufficient.

Lack of dynamic analysis tools:

• IDE allows debugging with source code only

• No programmable debugging interface

• Managed code

Main issue

31

Solution: static byte code instrumentation.

Tangerine

32

- Unpacking

- Removing application signature

- Resigning assemblies

- Packing

- Deploying

Automates routine with XAP files

33

- Application info

- Application capabilities

- Code analysis

- Code structure analysis

- API usage analysis

- View IL code

Static analysis

34

- Log application stack trace

- Method names

- Method parameters

- Return values

- Run custom code

- On method enter

- Replace method

- On method exit

- Change parameters values

Dynamic analysis

35

DEEP DIVE: FINDING VULNERABILITIES

DEMO

How it works

Target application

Instrumented application

Emulator

Emulator console Tangerine log

Instrumented application

Add hooks (1)

Resign and deploy

Hooked output (2)

Log data (2)

Repeat

(1) Changing CIL code

(2) Emulator console (writing/reading)

38

CIL Instrumentation

39

- Emulator only - Does not help to overcome obfuscated code - Does not work with system assemblies - Applications from store need to be decrypted - Windows Phone 7 only

Limitations

40

Cloud Compilation, WP8

CIL Assembly

C# Source Code

MDIL Assembly C# Compiler

MDIL Compiler

Cloud

MDIL Assembly

Native Image Generator

Native DLL

Device

Download

Run

41

MDIL in work

42

R0 = this R1 = a R0 + 0x10 = j, where j is a field from base class

MDILDump

43

http://github.com/WalkingCat/mdildump/

- Support Windows Phone 8 applications

- MDIL instrumentation

- Windows Phone RT

- Add new features

- Code graphical representation

- Data flow analysis

- Fix bugs ;)

Future work

44

CONCLUSION

- Greater attack surface in WP8

- App-to-App

- Applications that use native code

- New technologies

- Logical bugs never die

Conclusion

46

- Evgeny Bechkalo

- DSecRG team

Thanks

47

Q&A

Dmitry Evdokimov d.evdokimov@erpscan.com @evdokimovds Andrey Chasovskikh http://andreycha.info @andreycha Tangerine: http://github.com/andreycha/tangerine